When creating an api key does run-as override the other settings?

Russell_Fulton · January 31, 2023, 12:28am

I created an API key and left the other settings apart from run-as as default (i.e. wide open) and set run as to a user with a role that has the desired priviliges.

Will this key have the restriction of the assigned role?

I would hope yes! : )

Yang_Wang · January 31, 2023, 4:14am

Did you create the API key with something like the following

POST _security/api_key
{
  "name": "k1",
  "role_descriptors": {
    "x": {
      "run_as": [
        "foo"
      ]
    }
  }
}

If yes, the API key will only have the privilege to run-as user foo and nothing else.

Russell_Fulton · February 1, 2023, 6:22pm

Thanks!

Ah! I should have been more explicit. I generated the key in kibana. So should cut everything except the run-as entry?

My reasoning was that if the key ran as a particular user then that would define the actual access.

Yang_Wang · February 2, 2023, 3:12am

That's correct

Topic		Replies	Views
Elasticsearch: Create API Key based on role? Elasticsearch elastic-stack-security	3	1746	March 15, 2022
Parameter run_as for "role" Elasticsearch elastic-stack-security	2	1052	July 6, 2017
Create a role with dynamic "run_as" field Elasticsearch elastic-stack-security	2	435	March 17, 2019
How to create API Key for user with `viewer` role? Kibana elastic-stack-security	8	4079	December 6, 2022
401 after updating API Key role descriptors Elasticsearch elastic-stack-security , language-clients	9	1112	April 13, 2023

When creating an api key does run-as override the other settings?

Related topics